08e8d462fe
RED PILL 🔴 💊
122 lines
5.1 KiB
Text
122 lines
5.1 KiB
Text
/*
|
|
LICENSE
|
|
Copyright (C) 2015 JPCERT Coordination Center. All Rights Reserved.
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted provided that the following conditions are met:
|
|
|
|
1. Redistributions of source code must retain the above copyright notice,
|
|
this list of conditions and the following acknowledgments and disclaimers.
|
|
2. Redistributions in binary form must reproduce the above copyright notice,
|
|
this list of conditions and the following acknowledgments and disclaimers
|
|
in the documentation and/or other materials provided with the distribution.
|
|
3. Products derived from this software may not include "JPCERT Coordination
|
|
Center" in the name of such derived product, nor shall "JPCERT
|
|
Coordination Center" be used to endorse or promote products derived
|
|
from this software without prior written permission. For written
|
|
permission, please contact pr@jpcert.or.jp.
|
|
|
|
ACKNOWLEDGMENTS AND DISCLAIMERS
|
|
Copyright (C) 2015 JPCERT Coordination Center
|
|
|
|
This software is based upon work funded and supported by the Ministry of
|
|
Economy, Trade and Industry.
|
|
|
|
Any opinions, findings and conclusions or recommendations expressed in this
|
|
software are those of the author(s) and do not necessarily reflect the views
|
|
of the Ministry of Economy, Trade and Industry.
|
|
|
|
NO WARRANTY. THIS JPCERT COORDINATION CENTER SOFTWARE IS FURNISHED ON
|
|
AN "AS-IS" BASIS. JPCERT COORDINATION CENTER MAKES NO WARRANTIES OF
|
|
ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
|
|
NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,
|
|
EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE SOFTWARE. JPCERT
|
|
COORDINATION CENTER DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
|
|
RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
|
|
|
|
This software has been approved for public release and unlimited distribution.
|
|
*/
|
|
|
|
rule APT_CobaltStrike_Beacon_Indicator {
|
|
meta:
|
|
description = "Detects CobaltStrike beacons"
|
|
author = "JPCERT"
|
|
reference = "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py"
|
|
date = "2018-11-09"
|
|
id = "8508c7a0-0131-59b1-b537-a6d1c6cb2b35"
|
|
strings:
|
|
$v1 = { 73 70 72 6E 67 00 }
|
|
$v2 = { 69 69 69 69 69 69 69 69 }
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
|
}
|
|
|
|
rule HKTL_CobaltStrike_Beacon_Strings {
|
|
meta:
|
|
author = "Elastic"
|
|
description = "Identifies strings used in Cobalt Strike Beacon DLL"
|
|
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
|
|
date = "2021-03-16"
|
|
id = "af558aa2-a3dc-5a7a-bc74-42bb2246091c"
|
|
strings:
|
|
$s1 = "%02d/%02d/%02d %02d:%02d:%02d"
|
|
$s2 = "Started service %s on %s"
|
|
$s3 = "%s as %s\\%s: %d"
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
rule HKTL_CobaltStrike_Beacon_XOR_Strings {
|
|
meta:
|
|
author = "Elastic"
|
|
description = "Identifies XOR'd strings used in Cobalt Strike Beacon DLL"
|
|
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
|
|
date = "2021-03-16"
|
|
/* Used for beacon config decoding in THOR */
|
|
xor_s1 = "%02d/%02d/%02d %02d:%02d:%02d"
|
|
xor_s2 = "Started service %s on %s"
|
|
xor_s3 = "%s as %s\\%s: %d"
|
|
id = "359160a8-cf1c-58a8-bf7f-c09a8d661308"
|
|
strings:
|
|
$s1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x01-0xff)
|
|
$s2 = "Started service %s on %s" xor(0x01-0xff)
|
|
$s3 = "%s as %s\\%s: %d" xor(0x01-0xff)
|
|
|
|
$fp1 = "MalwareRemovalTool"
|
|
condition:
|
|
2 of ($s*) and not 1 of ($fp*)
|
|
}
|
|
|
|
rule HKTL_CobaltStrike_Beacon_4_2_Decrypt {
|
|
meta:
|
|
author = "Elastic"
|
|
description = "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2"
|
|
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
|
|
date = "2021-03-16"
|
|
id = "63b71eef-0af5-5765-b957-ccdc9dde053b"
|
|
strings:
|
|
$a_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
|
|
$a_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule HKTL_Win_CobaltStrike : Commodity {
|
|
meta:
|
|
author = "threatintel@volexity.com"
|
|
date = "2021-05-25"
|
|
description = "The CobaltStrike malware family."
|
|
hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
|
|
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
|
|
id = "113ba304-261f-5c59-bc56-57515c239b6d"
|
|
strings:
|
|
$s1 = "%s (admin)" fullword
|
|
$s2 = {48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00}
|
|
$s3 = "%02d/%02d/%02d %02d:%02d:%02d" fullword
|
|
$s4 = "%s as %s\\%s: %d" fullword
|
|
$s5 = "%s&%s=%s" fullword
|
|
$s6 = "rijndael" fullword
|
|
$s7 = "(null)"
|
|
condition:
|
|
all of them
|
|
}
|